What is Spamhaus Don’t Route Or Peer Lists?
Spamhaus Don’t Route Or Peer (DROP) Lists are essentially “avoid at all costs” lists for network administrators. They consist of IP addresses belonging to networks identified as:
• Spam generators: These are networks hosting known spam operations, sending out unsolicited emails in bulk.
• Cybercrime operations: These networks house malware distribution centers, phishing servers, or other tools used for illegal activities.
• "Hijacked" or leased networks: These are networks that have been compromised and taken over by malicious actors for nefarious purposes.
Essentially, the DROP Lists serve as warnings for internet service providers (ISPs), network operators, and other entities responsible for routing internet traffic. They advise to completely block all traffic originating from the listed IP addresses to prevent spam, malware, phishing attacks, and other harm from reaching their users.
There are two main DROP lists:
• The DROP List: This is the primary list, containing the most serious offenders with confirmed involvement in malicious activities.
• The Extended DROP List (EDROP): This is a broader list that includes networks exhibiting suspicious behavior or potential ties to spam or cybercrime, even if conclusive evidence is still under investigation.
By implementing DROP Lists in their routing configurations, network administrators can:
• Protect their users: Blocking traffic from DROP-listed networks significantly reduces the risk of users receiving spam, malware, or falling victim to cyberattacks.
• Improve network performance: Spam and malicious traffic can clog up network resources, slow down legitimate traffic, and increase costs. Blocking from DROP lists reduces this burden.
• Contribute to a cleaner internet: By refusing to accept traffic from DROP-listed networks, network operators help to isolate and disrupt spam and cybercrime operations.
However, it’s important to note that DROP Lists are just one tool in the fight against spam and cybercrime. They should be used in conjunction with other security measures like firewalls, intrusion detection systems, and email filtering technologies.
Goal: Apply Spamhaus alias to drop Inbound WAN and Outbound/Inbound LAN traffic on OPNsense from known bad networks.
Enable Spamhaus DROP Firewall Alias
Configure an firewall alias and use Spamhaus database of malicious networks to determine which networks packets are to be dropped.
1. Go to Firewall > Aliases > All and press the Add a new alias button in the top right corner of the form.
Enter the following data:
| Name | spamhaus_drop | Name of our alias |
| Description | Spamhaus DROP | Freely chosen description |
| Type | URL Table (IPs) | URL type |
| Host(s) | https://www.spamhaus.org/drop/drop.txt | Don’t Route Or Peer List |
| Name | spamhaus_edrop | Name of our alias |
| Description | Spamhaus EDROP | Freely chosen description |
| Type | URL Table (IPs) | URL type |
| Host(s) | https://www.spamhaus.org/drop/edrop.txt | Extended Don’t Route Or Peer List |
Apply firewall Alias: (Block Inbound)
Apply firewall rules to block inbound traffic for spamhaus drop alias on WAN interface.
1. Go to Firewall > Rules > Select the WAN tab and press the + icon in the lower right corner.
| Action | Block | Choose block to drop the incoming traffic |
| Interface | WAN | Should be the default value |
| TCP/IP Version | IPv4 | For our example we use IPv4 |
| Source | spamhaus_drop | Our alias for the DROP list |
| Category | Spamhaus | Freely chosen Category |
| Description | Block DROP | Freely chosen description |
| Action | Block | Choose block to drop the incoming traffic |
| Interface | WAN | Should be the default value |
| TCP/IP Version | IPv4 | For our example we use IPv4 |
| Source | spamhaus_edrop | Our alias for the DROP list |
| Category | Spamhaus | Freely chosen Category |
| Description | Block EDROP | Freely chosen description |
Apply firewall Alias: (Block Outbound)
Apply firewall rules to block outbound traffic from LAN interface using spamhaus alias. If there are VLAN interfaces, apply the alias to those as well. I suggest making a floating rule if there are multiple interfaces.
1. Go to Firewall > Rules > Select the LAN tab and press the + icon in the lower right corner.
| Action | Block | Choose block to drop the incoming traffic |
| Interface | LAN | Should be the default value |
| TCP/IP Version | IPv4 | For our example we use IPv4 |
| Destination | spamhaus_drop | Our alias for the DROP list |
| Category | Spamhaus | Freely chosen Category |
| Description | Block DROP | Freely chosen description |
| Action | Block | Choose block to drop the incoming traffic |
| Interface | LAN | Should be the default value |
| TCP/IP Version | IPv4 | For our example we use IPv4 |
| Destination | spamhaus_edrop | Our alias for the DROP list |
| Category | Spamhaus | Freely chosen Category |
| Description | Block EDROP | Freely chosen description |
Test
1. Confirm the IP addresses are present in the alias by going to Firewall > Diagnostics > Alias > Select Spamhaus Drop
2. Any inbound/outbound traffic to and from the addresses listed on the droplist will fail.
https://www.spamhaus.org/drop/drop.txt
Source
Steven's Event Log 